Word to the Wise
https://wordtothewise.com
Feed last updated Tue, 03 Mar 2015 01:43:22 +0000

Engaging emails for better delivery
https://wordtothewise.com/2015/03/engaging-emails-better-delivery/
Tue, 03 Mar 2015 01:43:22 +0000

MessageSystems is sponsoring a webinar hosted by Direct Marketing discussing engagement as part of delivery.

- What kind of emails ISPs are really watching out for
- How engaging your customers could impact your deliverability
- Best practices for email compliance
- What’s next in the email landscape

The ISP speaker is Matt Moleski, Senior Director of National Customer Security at Comcast. He is sure to be interesting. It’s possible we’ll even hear something different than what we hear from the webmail providers.

Friday fun stuff
https://wordtothewise.com/2015/02/friday-fun-stuff/
Fri, 27 Feb 2015 23:22:25 +0000

Between the rampaging llamas and a photo optical illusion the internet has been a silly, silly place the last 24 hours. I have a little present for folks. I hinted there may be pictures from Kilt Day at M3AAWG in an earlier post. There are, and all of the subjects have granted permission for me […]

A must read on engagement
https://wordtothewise.com/2015/02/must-read-engagement/
Fri, 27 Feb 2015 17:39:19 +0000

I really can’t add anything to what Chad wrote in Opens, Clicks, And Blocks In The Third Age Of Email Deliverability.

Aetna, phishing and security
https://wordtothewise.com/2015/02/aetna-phishing-security/
Thu, 26 Feb 2015 23:37:45 +0000

We’ve just gotten home from M3AAWG and I’m catching up with a lot of the administrative stuff that’s gotten ignored while we were soaking up the tons of information from some of the smartest Internet security folks around. One of the tasks I’m working on is checking on our recent bills from our health insurance provider. Their website seems to be down, so I called them up and asked them if it was down or if something was broken on my end.

They did confirm there was a problem with the site “earlier today” but then started asking me for my account information. They’ve promised to email me a new password because of reasons.

One of the things about M3AAWG is that concentrated discussions about spam and online criminals and security can make everything feel so fragile and security so inadequate to protect us against criminals. I start thinking that everything is compromised. It doesn’t help that websites fail just at the time when I start trying to figure out if my personal information leaked out.

In the course of trying to figure out if there is something wrong at Aetna and if my personal information is safe, I find an article about how poor security is for health companies. “Health companies flunked an email security survey—except Aetna.” Apparently, out of all the health companies out there, Aetna are the only ones fully implementing DMARC on all their mail streams.

The problem is that for the mail I received from Aetna, the visible From: address is AetnaeBilling@aetnagroupbilling.com. This is one of the major vulnerabilities of DMARC. How can I, as a recipient, tell that this is officially mail from Aetna? Any phisher could register “aetnabilling.com” or “aetnagoupbilling.com” or “aetnaebilling.com” and publish DMARC records and use those records to phish customers. Even worse, aetnagroupbilling.com isn’t an SSL registered website.

This is exactly the type of setup a phisher would use to gain access to people’s health insurance accounts. And Aetna offers the ability to draft payments directly from a business checking account, so breaking into the billing account also offers some level of access to the business money.

Salesforce SPF and now DKIM support
https://wordtothewise.com/2015/02/salesforce-spf-now-dkim-support/
Tue, 24 Feb 2015 18:03:52 +0000

Salesforce has published an SPF record for sending emails from Salesforce for years and with the Spring ’15 release, they will provide the option to sign with DKIM. The SPF record is straightforward, include:_spf.salesforce.com which includes _spf.google.com, _spfblock.salesforce.com, several IP address blocks, mx, and ends with a SoftFail ~all. Salesforce Knowledge Article Number: 000006347 […]

DKIM signing of outbound email is available for Enterprise, Unlimited, and Developer Editions. Salesforce recommends that you add the public key to your DNS before activating DKIM signing. There is a limit of 1 DKIM key per domain and Salesforce gives you the option to domain match and sign emails for the domain only, subdomain only, or domain and subdomains. More information about Salesforce DKIM signing can be found within their Spring ’15 Release Notes.

The ability to sign with non-Salesforce DKIM keys means that Salesforce users now have the option to use DMARC. Prior to this change all mail was authenticated as coming from Salesforce, which is perfectly acceptable and how authentication works. The ability to sign with the users’ DKIM key and domain means large Salesforce users are now able to track authentication failures or publish DMARC policy requests.
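To show what a receiver actually does with a record shaped like the one described above (a customer record that includes a vendor's record, which in turn includes another provider and some address blocks, lists mx, and ends in ~all), here is a small SPF evaluator. This is an added example, not code from the post or from Salesforce; the DNS contents are constructed stand-ins (`_spf.crm-vendor.example` and friends), not the real Salesforce or Google records, and a real evaluator would query DNS instead of a dictionary. It also enforces the 10-lookup limit from RFC 7208, which is the thing that most often breaks long include chains in practice.

```python
import ipaddress

# Constructed, offline stand-in for DNS (TXT, MX and A records). Names and
# addresses are made up for this example; a real evaluator would query DNS.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 include:_spf.crm-vendor.example mx ~all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.10"]},
    "_spf.crm-vendor.example": {
        "TXT": [
            "v=spf1 include:_spf.mailprovider.example "
            "include:_spfblock.crm-vendor.example ip4:198.51.100.0/24 ~all"
        ],
    },
    "_spf.mailprovider.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "_spfblock.crm-vendor.example": {"TXT": ["v=spf1 ip4:192.0.2.128/25 -all"]},
    # A record that includes itself, to show the lookup limit being enforced.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """The record cannot be evaluated (RFC 7208 'permerror')."""


class SpfEvaluator:
    # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check.
    MAX_LOOKUPS = 10

    def __init__(self, dns):
        self.dns = dns
        self.lookups = 0

    def _records(self, domain, rtype):
        return self.dns.get(domain.lower(), {}).get(rtype, [])

    def _spf_record(self, domain):
        spf = [r for r in self._records(domain, "TXT") if r.split()[0] == "v=spf1"]
        if len(spf) > 1:
            raise PermError("multiple SPF records for " + domain)
        return spf[0] if spf else None

    def _count_lookup(self):
        self.lookups += 1
        if self.lookups > self.MAX_LOOKUPS:
            raise PermError("more than %d DNS lookups" % self.MAX_LOOKUPS)

    def _hosts_match(self, addr, hostnames):
        return any(ipaddress.ip_address(a) == addr
                   for h in hostnames for a in self._records(h, "A"))

    def check(self, ip, domain):
        """Evaluate `ip` against the SPF record of `domain`; returns an SPF result string."""
        record = self._spf_record(domain)
        if record is None:
            return "none"
        addr = ipaddress.ip_address(ip)
        for term in record.split()[1:]:
            qualifier = "+"
            if term[0] in RESULT_FOR_QUALIFIER:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif name == "include":
                self._count_lookup()
                matched = self.check(ip, arg) == "pass"   # include matches only on pass
            elif name == "mx":
                self._count_lookup()
                matched = self._hosts_match(addr, self._records(arg or domain, "MX"))
            elif name == "a":
                self._count_lookup()
                matched = self._hosts_match(addr, [arg or domain])
            else:
                raise PermError("unsupported mechanism: " + name)
            if matched:
                return RESULT_FOR_QUALIFIER[qualifier]
        return "neutral"   # no mechanism matched and no "all" term


def spf_check(ip, domain, dns=FAKE_DNS):
    """Return (result, dns_lookups_used); result is 'permerror' if the record is unusable."""
    ev = SpfEvaluator(dns)
    try:
        return ev.check(ip, domain), ev.lookups
    except PermError:
        return "permerror", ev.lookups


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "192.0.2.10", "192.0.2.200", "10.0.0.1"):
        print(ip, spf_check(ip, "example.com"))
    print("loop.example", spf_check("10.0.0.1", "loop.example"))
```

The unauthorized address ends in softfail rather than fail because the chain ends with ~all, which is exactly why a ~all record on its own tells a receiver very little; it is DMARC alignment on top of it that turns the result into something actionable.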

Back from M3AAWG
https://wordtothewise.com/2015/02/back-m3aawg/
Mon, 23 Feb 2015 22:02:29 +0000

Last week was another M3AAWG meeting in San Francisco. The conference was packed full of really interesting sessions and things to learn. Jayne’s keynote on Tuesday was great, and brought up a lot of memories of just what it was like to be fighting spam and online abuse in the mid to late 90s. It’s somewhat amazing to me that many of the people I first met, or even just heard about, are still actively working to fight abuse and make the Internet safer.

Wednesday was another great keynote from Facebook, discussing security. Facebook is committed to sharing threat information and has started the ThreatExchange website as a hub for sharing data among large companies.

One thing that was amusing was during one talk someone mentioned YubiKey for managing logins. They said many people were sharing long strings of random keys that sometimes happen because someone has accidentally triggered the one time passcode. YubiKey is awesome, if sometimes ccccccdkhjnbitklrrtnhjrdfgdlhektfnfeutgtdcib inscrutable.

As has become a bit of an M3AAWG tradition lately, Wednesday was also kilt day. There may be pictures. For those of you planning to go to Dublin, Wednesday will be kilt day as well.

The conference was great, but ended on a bit of a down note. We received word that Wednesday night a long time friend, Ellen R., passed away due to complications from a stroke. The conference held a moment of silence for her at the end. Ellen was a friend as well as a colleague. She was around on IRC when we started this crazy experiment called Word to the Wise and was always helpful and insightful. She volunteered with, and then worked for, Spamcop and then volunteered with Spamhaus. Ellen will be very missed.

I started off the conference remembering all the friends I made back in the late 90s and ended it remembering and missing those who are no longer around. Email has been one amazing journey, and doesn’t look like it’s going away anytime soon.

Mary Litynski Award winner Jayne Hitchcock
https://wordtothewise.com/2015/02/mary-litynski-award-winner-jayne-hitchcock/
Tue, 17 Feb 2015 21:17:46 +0000

This morning the Messaging, Mobile and Malware Anti-Abuse Working Group announced the winner of the Mary Litynski Award.

Congratulations to Jayne Hitchcock of WHO@ for her work over the last 2 decades fighting online abuse and cyberstalking.

I’ve never actually met Jayne, but I do remember following her story in the late 90s. She started off trying to protect people from being scammed by Woodside Literary Agency. In return for her work to inform and protect people the principals of Woodside set out on a multi-year harassment campaign against her.

This was in the late 90s and the Internet was very new. There weren’t any laws. There weren’t really abuse desks. We had to protect each other. Law enforcement didn’t know what to do with problems. There weren’t any laws against harassment online. The word “cyberstalking” was created by a reporter when describing what was happening to Jayne.

Jayne has been a force for good online and she and her volunteers help people who are victims of abuse online and cyberstalking. She’s been instrumental in getting anti-cyberstalking laws passed and helping law enforcement understand why online abuse is an issue and that it should be addressed.

‘Tis the season
https://wordtothewise.com/2015/02/tis-the-season/
Fri, 13 Feb 2015 19:38:38 +0000

It’s the time of the year, when we celebrate a holiday by telling you about email. Using stock photography … … of varying levels of … … desperation. Some look nice … … some don’t. Most use a specific cliché … … some don’t. But whatever stock photography you use … … your Subscribers are for Life, […]

What is an open?
https://wordtothewise.com/2015/02/open/
Thu, 12 Feb 2015 01:45:00 +0000

I was having a discussion today with a few industry colleagues about engagement and open rates. It was a good discussion and inspired a couple blog posts. Engagement totally matters, Engagement affects deliverability, and ISPs should be the last of your concerns.

I think they’ve covered the engagement issue pretty well, but what I wanted to talk about was metrics, specifically opens. Open is a fairly simple word, and it’s used in email all the time. Recipients open email. Mailbox providers measure that open. Senders measure that open.

It’s critical to remember, though, that open rates as measured by free mailbox providers and open rates tracked by a sender are not really the same thing. They’re measured in very different ways, and there is not a 1:1 mapping between the two measurements.

Free mailbox providers actually track that the message was opened. They can see the status change from “unread” to “read.”

So even though both groups claim they are tracking opens, how they’re tracking gives different data to the people measuring the information. Gmail sees me open mail all the time. Most of my clients never see me open an email in my gmail account.

Free mailbox providers and senders are using the exact same word (Open) to describe different things (rendering an image vs. actually opening the mail). I think these things are different enough to say that an open as measured by a free mailbox provider and an open measured by the sender are not the same at all.

The crux of it is that even though mailbox providers use the metric of “open” to look at engagement and even though senders use the metric of “open” to look at engagement, they’re actually looking at two totally different things.

Email Authentication in a nutshell
https://wordtothewise.com/2015/02/email-authentication-nutshell/
Tue, 10 Feb 2015 00:38:30 +0000

There are 3 types of authentication currently in use for email.

- DKIM
- SPF
- DMARC

The different strategies do different things with email.

DKIM cryptographically signs emails, preventing changes in transit, and designates a “responsible domain” through the d= value in the signature.

SPF compares the sending IP and the envelope from (also known as the bounce string, return path or 5321.from) domain to determine if that IP is authorized to send mail using that envelope from domain.

DMARC uses DKIM authentication (d= value) or the SPF authentication (envelope from) to authenticate the visible from address (5322.from). DMARC requires that the d= value or the SPF value be in the same “organizational domain” as the visible from address. There is more data about this in my brief DMARC primer post from April 2014. In addition to authenticating the visible from address, there are two things senders can get from publishing a DMARC record. The first is a reporting scheme where you can get reports every time one of your email messages fails SPF or DKIM authentication. The second is a policy process where you ask receiving ISPs to implement a particular policy when the authentication fails (quarantine or reject).

We recommend all our clients authenticate with DKIM and SPF. The specifics of how to authenticate depend on the overall mail stream of the sender and technology available at different service providers.

Our recommendations for DMARC are a little more complex, due to the newness of the protocol and the choices that DMARC offers to senders. We’re currently recommending that clients be aware of the availability of DMARC reporting and start internal discussions and plan to implement reporting in the future. Managing DMARC reports requires some level of infrastructure to accept and process the incoming reports, and this will need to be planned for.

It’s important to understand that even if every message leaves fully authenticated, different processes between sending and delivery (forwarding, etc.) may result in authentication failures at the recipients. This means senders publishing a p=reject policy will lose legitimate mail. In the absence of security concerns, we’re not recommending publishing a policy statement (p=reject or p=quarantine) at this time. For senders who still want to implement DMARC we’re currently recommending that clients collect failure reports for a period of time (6 – 12 months in cases with complex mail systems) before making the decision to publish a p=reject record. Senders with security concerns can implement a p=reject policy, but need to be clear that this may result in legitimate mail being lost.
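The alignment rule from the nutshell above and the forwarding caveat in this last paragraph are easiest to see in code, so here is a small DMARC evaluator as an added example (not code from the post, and not any mailbox provider's implementation). The DMARC records, domains and the tiny public-suffix table are constructed for the example; a real receiver uses the full Public Suffix List to find the organizational domain. The scenarios walk through a direct send, the same mail after forwarding (SPF breaks, DKIM survives), a list that rewrote the body (both break, so the p= policy decides whether legitimate mail is lost), strict versus relaxed alignment, and, for the Aetna post further up, the point that a look-alike domain with its own record authenticates itself perfectly well.

```python
# Tiny stand-in for the Public Suffix List, constructed for this example.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed DMARC records for the scenarios below.
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
RECORD_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def organizational_domain(domain):
    """Strip subdomain labels until one label remains above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict, applying the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + record)
    tags.setdefault("adkim", "r")   # relaxed alignment unless the record says otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: exact match in strict mode, same organizational domain in relaxed."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(record, from_domain, dkim_pass_domains, spf_pass_domain):
    """Return (dmarc_result, requested_disposition).

    from_domain       -- domain of the visible From: header (5322.From)
    dkim_pass_domains -- d= values of DKIM signatures that verified
    spf_pass_domain   -- envelope-from domain if SPF passed, else None
    """
    policy = parse_dmarc(record)
    dkim_ok = any(aligned(d, from_domain, policy["adkim"]) for d in dkim_pass_domains)
    spf_ok = aligned(spf_pass_domain, from_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"
    # pct= sampling is omitted here: every failing message gets the p= disposition.
    return "fail", policy["p"]


if __name__ == "__main__":
    frm = "news.example.com"
    # 1. Direct send: DKIM d=example.com and SPF on bounce.example.com both align.
    print(evaluate(RECORD_MONITOR, frm, ["example.com"], "bounce.example.com"))
    # 2. Forwarded: SPF sees the forwarder's IP and fails, the DKIM signature survives.
    print(evaluate(RECORD_MONITOR, frm, ["example.com"], None))
    # 3. Forwarded through a list that rewrote the body: DKIM broken, SPF failed.
    print(evaluate(RECORD_MONITOR, frm, [], None))   # reported, still delivered
    print(evaluate(RECORD_REJECT, frm, [], None))    # legitimate mail rejected
    # 4. Strict alignment: a parent-domain signature no longer counts.
    print(evaluate(RECORD_STRICT, frm, ["example.com"], None))
    # 5. A look-alike domain with its own record authenticates itself just fine.
    print(evaluate("v=DMARC1; p=reject", "brand-billing.example",
                   ["brand-billing.example"], None))
```

Scenario 3 is the whole argument of the paragraph above: with p=none the failure only shows up in the aggregate report sent to the rua= address, with p=reject the same legitimate message is refused. Scenario 5 is why DMARC on its own does not tell a recipient which company is behind a domain; it only ties the visible From domain to the authenticated identifiers.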